WEBVTT

0:00:03.900000 --> 0:00:09.520000
 Incident Response Playbook Example,
 responding to a phishing attack.

0:00:09.520000 --> 0:00:16.320000
 So in the previous video we took an initial
 foray into playbooks and sort

0:00:16.320000 --> 0:00:21.060000
 of understood what they are in relation
 to a policy as well as the Incident

0:00:21.060000 --> 0:00:27.600000
 Response Plan. And we're now going to
 be taking a look at an example of

0:00:27.600000 --> 0:00:30.880000
 a phishing playbook.

0:00:30.880000 --> 0:00:35.920000
 So the playbook that we're going to be
 using, which is publicly available,

0:00:35.920000 --> 0:00:41.540000
 was linked in the previous video, in
 the slides of the previous video.

0:00:41.540000 --> 0:00:46.520000
 I will go through the repository and
 sort of annotate or highlight the

0:00:46.520000 --> 0:00:49.460000
 link so you can find it yourself.

0:00:49.460000 --> 0:00:55.580000
 But this particular repository is extremely
 useful regardless as to whether

0:00:55.580000 --> 0:01:04.060000
 you're already but without further
 ado let's not waste any more time.

0:01:04.060000 --> 0:01:08.160000
 I'm going to switch over into my browser
 and we can take a look at the

0:01:08.160000 --> 0:01:14.300000
 playbook. And you'll see how detailed
 you know, playbooks can get or become

0:01:14.300000 --> 0:01:18.600000
 as it were. So I'll see you
 in a couple of seconds.

0:01:18.600000 --> 0:01:24.640000
 Alright, so I'm currently within my browser
 and the repository I was referring

0:01:24.640000 --> 0:01:31.080000
 to is the repo on GitLab
 called public playbooks.

0:01:31.080000 --> 0:01:35.320000
 And I'd already described, you know,
 provided you with a description as

0:01:35.320000 --> 0:01:37.580000
 to what it was in the previous video.

0:01:37.580000 --> 0:01:40.600000
 But this is an extremely
 useful repository.

0:01:40.600000 --> 0:01:45.300000
 So as the description suggests here,
 this repository contains all the

0:01:45.300000 --> 0:01:49.740000
 Incident Response Playbooks and
 workflows of a company's SOC.

0:01:49.740000 --> 0:01:51.280000
 They're really generalized.

0:01:51.280000 --> 0:01:55.240000
 They're not, you know, referring
 to any particular organization.

0:01:55.240000 --> 0:02:00.460000
 The key thing to note is that these
 playbooks are based on the Incident

0:02:00.460000 --> 0:02:06.340000
 Response process, the NIST Incident Response
 process from the NIST special

0:02:06.340000 --> 0:02:09.860000
 publication 800-61 R2.

0:02:09.860000 --> 0:02:15.120000
 So you have phases here, so preparation,
 detection, analysis, containment,

0:02:15.120000 --> 0:02:17.100000
 eradication and recovery, etc.

0:02:17.100000 --> 0:02:25.220000
 And what this means is that each playbook
 contains the procedures for

0:02:25.220000 --> 0:02:31.180000
 or the checklist as it were and the
 workflows for each of these phases.

0:02:31.180000 --> 0:02:35.440000
 So when you're dealing, let's say with
 a phishing attachment or phishing

0:02:35.440000 --> 0:02:39.860000
 email, it outlines what you
 do in each of those phases.

0:02:39.860000 --> 0:02:43.660000
 So, you know, before there's an actual
 phishing email or anything like

0:02:43.660000 --> 0:02:48.360000
 that, there's the preparation phase,
 which, you know, will get to shortly,

0:02:48.360000 --> 0:02:53.340000
 and then how to detect and analyze,
 you know, phishing emails and then

0:02:53.340000 --> 0:02:55.820000
 containment or eradication
 and recovery, etc.

0:02:55.820000 --> 0:03:00.580000
 So the way this GitHub repo is sorted,
 I should say GitLab repo is sorted,

0:03:00.580000 --> 0:03:05.900000
 is if you take a look at the folder,
 it's actually just explained here.

0:03:05.900000 --> 0:03:11.820000
 So IRP, any folder with the prefix IRP,
 these are individual folders containing

0:03:11.820000 --> 0:03:15.160000
 the playbooks themselves
 within each directory.

0:03:15.160000 --> 0:03:20.480000
 There should be a PDF folder where
 a PDF version is available.

0:03:20.480000 --> 0:03:29.260000
 So we'll go ahead and take a look at
 the playbook that we are supposed

0:03:29.260000 --> 0:03:32.200000
 to be taking a look at,
 which is IRP phishing.

0:03:32.200000 --> 0:03:36.780000
 Now, when you open up a playbook folder,
 you're going to have a README,

0:03:36.780000 --> 0:03:38.240000
 which is very, very useful.

0:03:38.240000 --> 0:03:42.840000
 And in the README, you can see it says
 phishing playbook, you have the

0:03:42.840000 --> 0:03:47.780000
 scope, and then you have each of the incident
 response phases, so preparation,

0:03:47.780000 --> 0:03:52.700000
 detect, analyze, contain,
 eradicate, recover, etc.

0:03:52.700000 --> 0:03:58.780000
 So what this is referring to is, you know,
 dealing with a, this is specifically

0:03:58.780000 --> 0:04:06.280000
 referring to the type of incident, which
 in this case is a phishing email.

0:04:06.280000 --> 0:04:08.080000
 So that's the README.

0:04:08.080000 --> 0:04:12.200000
 Now, within the Workflows folder, you
 have a list of the, or I should

0:04:12.200000 --> 0:04:17.160000
 say a collection of workflow images,
 and the original workflow that you

0:04:17.160000 --> 0:04:22.260000
 can actually modify in the form
 of the draw.io file format here.

0:04:22.260000 --> 0:04:28.100000
 Draw.io is a free flow chart slash diagramming
 software that you can use

0:04:28.100000 --> 0:04:32.220000
 online, you know, via browser, or you
 can actually download the desktop

0:04:32.220000 --> 0:04:37.260000
 application. So this option is available
 for you if you want to use this

0:04:37.260000 --> 0:04:41.740000
 particular workflow and make changes
 to it or adapt it to, you know, the

0:04:41.740000 --> 0:04:43.860000
 needs of the organization.

0:04:43.860000 --> 0:04:48.060000
 So we'll not take a look at the images
 independently because they won't

0:04:48.060000 --> 0:04:52.340000
 make much sense, but, you know, this
 is an example of a very, very well

0:04:52.340000 --> 0:04:54.720000
 defined phishing playbook.

0:04:54.720000 --> 0:04:59.400000
 So to begin with, you can see you
 have the scope, preparation, etc.

0:04:59.400000 --> 0:05:01.840000
 So let's go through it sequentially.

0:05:01.840000 --> 0:05:05.480000
 So you can see phase one preparation.

0:05:05.480000 --> 0:05:07.040000
 What does this entail?

0:05:07.040000 --> 0:05:12.060000
 Well, it's essentially telling you how
 to prepare for, you know, phishing

0:05:12.060000 --> 0:05:13.200000
 incident as it were.

0:05:13.200000 --> 0:05:17.860000
 So firstly, create and maintain a list
 of all domains owned by the company.

0:05:17.860000 --> 0:05:22.980000
 This can prevent you from taking actions
 against your own domains and then,

0:05:22.980000 --> 0:05:26.800000
 you know, create an email template
 to notify all employees of ongoing

0:05:26.800000 --> 0:05:28.800000
 phishing campaigns against
 the organization.

0:05:28.800000 --> 0:05:35.880000
 To contact hosting companies for a domain
 takedown to inform third parties

0:05:35.880000 --> 0:05:39.820000
 to take actions against phishing
 on their infrastructure.

0:05:39.820000 --> 0:05:42.600000
 So Microsoft, FedEx, Apple, etc.

0:05:42.600000 --> 0:05:47.900000
 You also need to ensure that mail anti-malware,
 anti-spam or anti-phishing

0:05:47.900000 --> 0:05:49.720000
 solutions are in place.

0:05:49.720000 --> 0:05:51.200000
 So already very, very actionable.

0:05:51.200000 --> 0:05:53.880000
 Remember, this is the preparation phase.

0:05:53.880000 --> 0:05:59.140000
 You then need to ensure that users know
 how to report a phish, as it were.

0:05:59.140000 --> 0:06:02.520000
 And then in terms of detection, you
 need to ensure that detection exists

0:06:02.520000 --> 0:06:06.780000
 or detection mechanisms exist for office
 documents that spawn processes

0:06:06.780000 --> 0:06:15.820000
 like a PowerShell session, command
 shell that utilize WMI, MSHTA, etc.

0:06:15.820000 --> 0:06:19.580000
 And then you need to perform a fire
 drill to ensure all aspects of the

0:06:19.580000 --> 0:06:20.480000
 playbook are working.

0:06:20.480000 --> 0:06:22.840000
 That's very, very important.

0:06:22.840000 --> 0:06:26.980000
 And then of course, you know, there's
 other procedures or steps here.

0:06:26.980000 --> 0:06:31.720000
 Now, under tool access and provisioning,
 you can refer to the tool documentation

0:06:31.720000 --> 0:06:37.080000
 here. But still under preparation,
 you have the asset list.

0:06:37.080000 --> 0:06:38.900000
 So, you know, this is very important.

0:06:38.900000 --> 0:06:43.300000
 So a list of assets and owners should exist
 and be available for the following.

0:06:43.300000 --> 0:06:48.960000
 So custom assets, owners, contacts, pre-authorized
 actions and then company

0:06:48.960000 --> 0:06:54.740000
 assets. In terms of type, the types of
 assets, the type of asset inventories

0:06:54.740000 --> 0:06:59.320000
 needed, you need an inventory of endpoint
 servers, network equipment,

0:06:59.320000 --> 0:07:03.280000
 security appliances, as well as, you
 know, the various network ranges

0:07:03.280000 --> 0:07:05.480000
 and subnets, all of that good stuff.

0:07:05.480000 --> 0:07:10.460000
 So that's not really important per se,
 you know, in terms of what I wanted

0:07:10.460000 --> 0:07:15.800000
 to showcase. Let me just collapse all
 of this so that we go through them

0:07:15.800000 --> 0:07:20.120000
 sequentially. So we're now getting into
 the actual detection and response

0:07:20.120000 --> 0:07:26.320000
 phase. So let's take a look at how we,
 you know, based on this playbook,

0:07:26.320000 --> 0:07:31.380000
 how we should go about
 detecting phishing.

0:07:31.380000 --> 0:07:33.100000
 So this is the workflow.

0:07:33.100000 --> 0:07:36.560000
 Here, as you can see, as I described
 in the previous video workflow is

0:07:36.560000 --> 0:07:41.060000
 exactly as the name suggests, a workflow
 of actions or decisions to make,

0:07:41.060000 --> 0:07:45.720000
 depending on the type or the, you know,
 severity of the incident, et cetera.

0:07:45.720000 --> 0:07:50.900000
 So in terms of detection, you know,
 you start off by identifying threat

0:07:50.900000 --> 0:07:55.420000
 indicators, which could, you know,
 essentially come from alerts.

0:07:55.420000 --> 0:08:00.600000
 So they could come in the form of alerts,
 more specifically tickets, SIEM,

0:08:00.600000 --> 0:08:07.800000
 antivirus, EDR alerts, reports via DNS or
 web proxy, errors from bounced messages.

0:08:07.800000 --> 0:08:10.100000
 You also have notifications.

0:08:10.100000 --> 0:08:14.960000
 So these are, you know, essentially entry
 points or where indicators will

0:08:14.960000 --> 0:08:19.360000
 be coming from. So you may get notifications
 from users saying, Hey, you

0:08:19.360000 --> 0:08:22.620000
 know, this looks a bit interesting
 or this looks like a phishing email

0:08:22.620000 --> 0:08:23.980000
 from recipients.

0:08:23.980000 --> 0:08:26.960000
 Third parties, ISPs, mail providers.

0:08:26.960000 --> 0:08:30.220000
 Okay. So that's the first step
 in terms of detection.

0:08:30.220000 --> 0:08:32.980000
 You then have identifying
 the risk factors.

0:08:32.980000 --> 0:08:37.480000
 So the common risk factors are, you know,
 credential theft, malware delivery,

0:08:37.480000 --> 0:08:42.360000
 criminal activities and organization
 specific risk factors are, you know,

0:08:42.360000 --> 0:08:44.740000
 reputational damages,
 all that good stuff.

0:08:44.740000 --> 0:08:48.860000
 Now, the more important aspects of the
 workflow come into place here where

0:08:48.860000 --> 0:08:50.180000
 you have data collection.

0:08:50.180000 --> 0:08:53.940000
 So you need to be able to get
 information about the domain.

0:08:53.940000 --> 0:09:00.000000
 So that means reputation, information
 or reputation scores, the registrar,

0:09:00.000000 --> 0:09:01.880000
 the owner of the domain.

0:09:01.880000 --> 0:09:07.600000
 If that is publicly visible, you also
 have the IP address, multi-stage

0:09:07.600000 --> 0:09:12.100000
 or redirect. And then the technologies,
 you know, that are being used

0:09:12.100000 --> 0:09:14.040000
 on that particular domain.

0:09:14.040000 --> 0:09:19.740000
 So, you know, WordPress, Joomla, et cetera,
 you then have categorization.

0:09:19.740000 --> 0:09:23.480000
 So this is where you sort of have
 your, the beginning of triage.

0:09:23.480000 --> 0:09:25.320000
 So you determine the type.

0:09:25.320000 --> 0:09:31.400000
 So is it a phishing email, spam, spear
 phishing, whaling, BEC or Office

0:09:31.400000 --> 0:09:33.120000
 365 forwarding rules.

0:09:33.120000 --> 0:09:36.720000
 That brings us into triage where
 you determine the impact.

0:09:36.720000 --> 0:09:40.600000
 So the impact of the message type, financial
 impact, you then determine

0:09:40.600000 --> 0:09:45.080000
 the scope. So the number of people who
 received the email or the message,

0:09:45.080000 --> 0:09:49.220000
 the number of people opened the attachments
 or links, the number of people

0:09:49.220000 --> 0:09:50.620000
 who submitted the information.

0:09:50.620000 --> 0:09:54.080000
 And then you also determine
 if it's a false positive.

0:09:54.080000 --> 0:09:59.780000
 So if it is a false positive, then yes,
 then you obviously stop, right?

0:09:59.780000 --> 0:10:03.520000
 If it's not a false positive, you move
 on to the next phase of incident

0:10:03.520000 --> 0:10:05.560000
 response, which is analysis.

0:10:05.560000 --> 0:10:08.860000
 You know, in the NIST framework,
 it's detection and analysis.

0:10:08.860000 --> 0:10:12.900000
 So they're part of the same process,
 but structurally, you know, these

0:10:12.900000 --> 0:10:13.960000
 are going to be different.

0:10:13.960000 --> 0:10:18.840000
 So we'll go right over here into analyze.


0:10:18.840000 --> 0:10:23.000000
 So this is the analysis
 workflow for phishing.

0:10:23.000000 --> 0:10:26.620000
 So the previous phase, as you can see,
 is marked here as detect, which

0:10:26.620000 --> 0:10:29.680000
 is correct. And then you need
 to perform some verification.

0:10:29.680000 --> 0:10:34.180000
 Now, in the next course, we'll be diving
 deep into, you know, detection

0:10:34.180000 --> 0:10:38.400000
 and analysis. This will all, you
 know, start to come to the fore.

0:10:38.400000 --> 0:10:42.140000
 But there's a, you know, verification,
 which I've mentioned many times in

0:10:42.140000 --> 0:10:52.160000
 this course and in the previous course.

0:10:52.160000 --> 0:10:56.520000
 Would be primarily what, you
 know, SOC analyst, etc.

0:10:56.520000 --> 0:10:59.060000
 So, you know, you rule
 out false positives.

0:10:59.060000 --> 0:11:01.520000
 Now, is it a critical incident?

0:11:01.520000 --> 0:11:06.880000
 If yes, then you run a different playbook,
 which is the critical incident

0:11:06.880000 --> 0:11:10.860000
 playbook, which is also available
 in this repository as an example.

0:11:10.860000 --> 0:11:15.940000
 If it's not a critical incident, then,
 you know, you identify the indicators

0:11:15.940000 --> 0:11:19.160000
 of compromise. So you
 validate the hashes.

0:11:19.160000 --> 0:11:22.780000
 So VirusTotal is an example
 of a tool listed there.

0:11:22.780000 --> 0:11:27.500000
 Validate the links, again VirusTotal,
 email headers or email header analysis,

0:11:27.500000 --> 0:11:35.700000
 ID, subject, attachments, you know, the
 from address, ID, other; you identify

0:11:35.700000 --> 0:11:39.360000
 other addresses, domains and IPs,
 search threat intel sources.

0:11:39.360000 --> 0:11:43.240000
 And then perform disk forensics on the
 recipient's endpoints of the person

0:11:43.240000 --> 0:11:45.220000
 who received the phishing email.

0:11:45.220000 --> 0:11:48.300000
 You then moving or you move on to scan.

0:11:48.300000 --> 0:11:49.380000
 So you scan the enterprise.

0:11:49.380000 --> 0:11:53.800000
 So you update the spam filter, you update
 firewall, intrusion detection

0:11:53.800000 --> 0:11:58.920000
 systems, etc. So rules with
 the IOCs that you found.

0:11:58.920000 --> 0:12:04.960000
 And then search all mail folders, you
 know, for the IOCs and then search

0:12:04.960000 --> 0:12:07.280000
 endpoints for IOCs with EDR.

0:12:07.280000 --> 0:12:10.620000
 And then you move to, you
 know, updating the scope.

0:12:10.620000 --> 0:12:14.920000
 So you update the lists of affected
 recipient addresses.

0:12:14.920000 --> 0:12:19.340000
 The affected endpoints, affected legal
 entities, affected business units.

0:12:19.340000 --> 0:12:25.040000
 Now, are all affected
 endpoints identified?

0:12:25.040000 --> 0:12:28.840000
 If no, then you, you know, move to
 scope validation where you say you

0:12:28.840000 --> 0:12:34.020000
 search mailboxes for IOCs and you
 search various endpoints for IOCs.

0:12:34.020000 --> 0:12:38.520000
 Now, if you've identified all affected
 endpoints, then you send communications

0:12:38.520000 --> 0:12:43.180000
 to the internal security teams to the
 email team, depending on your service

0:12:43.180000 --> 0:12:47.680000
 provider. So on-prem or cloud and the
 firewall team or the IT team as

0:12:47.680000 --> 0:12:53.100000
 it were, which means they
 then handle the containment phase.

0:12:53.100000 --> 0:12:55.640000
 So you can see it's starting
 to make sense.

0:12:55.640000 --> 0:13:00.040000
 So the containment and eradication
 workflow is listed here as well.

0:13:00.040000 --> 0:13:04.140000
 So the previous phase listed
 is the analysis phase.

0:13:04.140000 --> 0:13:08.080000
 So what's the first thing done here within
 the containment slash eradication

0:13:08.080000 --> 0:13:13.120000
 phase? Well, you block C2 if
 there is C2 or email traffic.

0:13:13.120000 --> 0:13:18.180000
 So you update spam filters, update
 the firewall proxy, etc.

0:13:18.180000 --> 0:13:22.960000
 The various rules, blackhole DNS
 and you submit links to partners.

0:13:22.960000 --> 0:13:25.320000
 You then have the actions
 taken by the user.

0:13:25.320000 --> 0:13:29.380000
 So you know, you're now starting to
 understand, you know, what exactly

0:13:29.380000 --> 0:13:33.700000
 happened, which will then
 direct the containment.

0:13:33.700000 --> 0:13:37.600000
 So have the emails been read, have attachments
 been open, have links been

0:13:37.600000 --> 0:13:42.600000
 clicked. Now, if they did click on stuff,
 then, you know, the next question

0:13:42.600000 --> 0:13:47.460000
 is, has a malware infection occurred?
 If not, you delete the emails.

0:13:47.460000 --> 0:13:51.900000
 But if there is, there is a separate
 playbook, which is, you know,

0:13:51.900000 --> 0:13:55.440000
 the malware playbook, which again is
 present within this GitHub repo.

0:13:55.440000 --> 0:13:58.440000
 But let's assume there isn't
 a malware infection.

0:13:58.440000 --> 0:14:00.260000
 You then have deleting email.

0:14:00.260000 --> 0:14:04.520000
 So you delete from the user's inbox,
 you know, spam tools, email admin

0:14:04.520000 --> 0:14:09.220000
 console, delete the downloaded attachments
 and then you use the EDR or

0:14:09.220000 --> 0:14:13.920000
 SIM, SIEM I should say, to scan the
 enterprise and you delete emails

0:14:13.920000 --> 0:14:15.080000
 from the server.

0:14:15.080000 --> 0:14:19.880000
 So both cloud and on-prem and
 then you close monitoring.

0:14:19.880000 --> 0:14:22.500000
 So this is, you know, close monitoring.

0:14:22.500000 --> 0:14:27.680000
 So you monitor for related incoming
 messages, so Internet connections

0:14:27.680000 --> 0:14:31.500000
 to the IOCs that you identified
 previously.

0:14:31.500000 --> 0:14:36.980000
 So you check whether there's any interesting
 activity that is related

0:14:36.980000 --> 0:14:41.100000
 to the initial phishing email, you know,
 you then also check for new files

0:14:41.100000 --> 0:14:46.080000
 that match hashes or the other
 types of IOCs you identified.

0:14:46.080000 --> 0:14:51.040000
 And then, of course, are all
 affected endpoints contained.

0:14:51.040000 --> 0:14:56.260000
 If yes, you then move to the recovery,
 if not, and you discover new IOCs,

0:14:56.260000 --> 0:14:59.060000
 then you go to the previous
 phase back to analysis.

0:14:59.060000 --> 0:15:03.820000
 So for every new IOC, you have to go
 ahead and perform analysis again.

0:15:03.820000 --> 0:15:07.400000
 And then finally, you have,
 you know, recovery.

0:15:07.400000 --> 0:15:10.660000
 So the previous phase is
 containment eradication.

0:15:10.660000 --> 0:15:16.360000
 You know, you update defenses; have all
 affected endpoints been identified?

0:15:16.360000 --> 0:15:19.640000
 Then if yes, then, you know, move to the
 next phase, which is post incident

0:15:19.640000 --> 0:15:22.580000
 activity, if not data collection.

0:15:22.580000 --> 0:15:26.640000
 So determine if the spam filters block
 legitimate emails, proxy firewall,

0:15:26.640000 --> 0:15:31.360000
 etc. So, you know, blocking legitimate
 sites, you go back to update defenses.

0:15:31.360000 --> 0:15:35.740000
 So you determine which spam
 filter, firewall, EDR, etc.

0:15:35.740000 --> 0:15:40.560000
 rules can stay to prevent infection
 versus which ones need to be removed

0:15:40.560000 --> 0:15:42.600000
 to restore functionality.

0:15:42.600000 --> 0:15:46.760000
 And then again, have all infected or all
 affected endpoints been identified.

0:15:46.760000 --> 0:15:50.260000
 If the answer is yes, you
 move to post incident.

0:15:50.260000 --> 0:15:56.220000
 So post incident, you know, previous
 phase is that in this particular

0:15:56.220000 --> 0:15:58.300000
 case, obviously detection.

0:15:58.300000 --> 0:16:01.580000
 So incident review, what
 worked, what didn't work.

0:16:01.580000 --> 0:16:04.100000
 You then move to updating
 the policy and procedures.

0:16:04.100000 --> 0:16:07.940000
 So in terms of documentation, pretty
 much what we explained earlier on

0:16:07.940000 --> 0:16:12.580000
 in this section of the course, the policies,
 playbooks, runbooks, procedures,

0:16:12.580000 --> 0:16:16.240000
 etc. And then there's updates
 to the detection rules.

0:16:16.240000 --> 0:16:21.020000
 So think of the SIEM, anti-spam, malware,
 gateway, EDRs and other security

0:16:21.020000 --> 0:16:22.680000
 solutions in place.

0:16:22.680000 --> 0:16:26.700000
 You then re review or review
 the defensive posture.

0:16:26.700000 --> 0:16:31.160000
 So you schedule a review of newly
 introduced rules in six months.

0:16:31.160000 --> 0:16:35.280000
 And you then ask yourself are the following
 still applicable, the spam

0:16:35.280000 --> 0:16:39.220000
 filter rules, the firewall
 proxy rules for C2s.

0:16:39.220000 --> 0:16:44.120000
 If that was indeed the case, that there
 was a C2 communication channel

0:16:44.120000 --> 0:16:49.340000
 established. AV/EDR custom signatures
 and the intrusion prevention system

0:16:49.340000 --> 0:16:53.780000
 signatures. You then have user awareness
 training and you calculate the

0:16:53.780000 --> 0:16:56.960000
 incident cost and that brings
 you to the end here.

0:16:56.960000 --> 0:17:02.660000
 So this is an example of a very,
 very well defined playbook.

0:17:02.660000 --> 0:17:06.120000
 In this case, it's a phishing
 playbook, but you can see it.

0:17:06.120000 --> 0:17:11.560000
 It pretty much encompasses all phases
 of the incident response lifecycle,

0:17:11.560000 --> 0:17:15.320000
 you know, beginning with preparing
 for a phishing incident or phishing

0:17:15.320000 --> 0:17:21.080000
 related incident all the way to detection
 and analysis, containment or

0:17:21.080000 --> 0:17:22.560000
 eradication, recovery, etc.

0:17:22.560000 --> 0:17:28.780000
 Now, as mentioned, you know, that particular
 playbook, there's also the

0:17:28.780000 --> 0:17:33.080000
 other linked playbooks that have to
 do with whether you're dealing with

0:17:33.080000 --> 0:17:38.020000
 a malware infection or let's say critical
 incident in the event that,

0:17:38.020000 --> 0:17:42.260000
 you know, the phishing email or, you
 know, the phishing incident actually

0:17:42.260000 --> 0:17:43.600000
 led to a malware infection.

0:17:43.600000 --> 0:17:48.700000
 You then have a different playbook and
 consequently workflow that then,

0:17:48.700000 --> 0:17:50.720000
 you know, tells you what to do there.

0:17:50.720000 --> 0:17:54.620000
 So let even if we take a look at it
 from preparation, actually, let's

0:17:54.620000 --> 0:17:56.560000
 skip that because that's
 not important here.

0:17:56.560000 --> 0:17:59.180000
 But if we take a look at detection.

0:17:59.180000 --> 0:18:02.080000
 So, you know, pretty much
 follows the same.

0:18:02.080000 --> 0:18:03.680000
 This is a bit more advanced now.

0:18:03.680000 --> 0:18:05.660000
 So we'll not go too deep into that.

0:18:05.660000 --> 0:18:10.480000
 But if we go into, let's say, analyze,
 you can see you need to perform

0:18:10.480000 --> 0:18:12.340000
 verification again.

0:18:12.340000 --> 0:18:17.760000
 If it is, you run the critical incident
 response playbook.

0:18:17.760000 --> 0:18:22.140000
 Otherwise, you know, you identify IOCs,
 you then extract the IOCs using

0:18:22.140000 --> 0:18:24.420000
 a sandboxed environment.

0:18:24.420000 --> 0:18:29.860000
 And then you submit the sample to partners
 or if you have an, if you have

0:18:29.860000 --> 0:18:34.360000
 a malware analyst within the team,
 you give it to them to analyze it.

0:18:34.360000 --> 0:18:37.840000
 But you then go ahead and scan the
 enterprise and you make, you know,

0:18:37.840000 --> 0:18:41.340000
 various updates to the EDR
 policy, so on and so forth.

0:18:41.340000 --> 0:18:44.800000
 Then there's some important steps
 here, like what was accessed.

0:18:44.800000 --> 0:18:47.020000
 So are there any signs
 of lateral movement?

0:18:47.020000 --> 0:18:50.640000
 You then review the firewall
 logs, you review NetFlows.

0:18:50.640000 --> 0:18:52.180000
 You then update the scope.

0:18:52.180000 --> 0:18:57.320000
 So, you know, you update the list of
 affected endpoints affected syntax

0:18:57.320000 --> 0:18:59.700000
 entities and affected clients.

0:18:59.700000 --> 0:19:04.940000
 And then you ask yourself the question
 again, are all affected endpoints

0:19:04.940000 --> 0:19:06.700000
 identified, so on and so forth.

0:19:06.700000 --> 0:19:09.300000
 So this is a great starting point.

0:19:09.300000 --> 0:19:10.820000
 I'm not going to go through all of them.

0:19:10.820000 --> 0:19:16.000000
 This is a great starting point for any
 incident responder or anyone looking

0:19:16.000000 --> 0:19:17.960000
 to get into incident response.

0:19:17.960000 --> 0:19:21.760000
 If you're already an incident responder,
 then I'm sure this will help

0:19:21.760000 --> 0:19:25.840000
 you in the sense that you can use some
 of these playbooks more specifically,

0:19:25.840000 --> 0:19:29.380000
 the workflows and modify them yourself.

0:19:29.380000 --> 0:19:34.460000
 So to sort of summarize this demo to
 finalize it, if I go back to the

0:19:34.460000 --> 0:19:39.900000
 phishing workflows folder here and I
 just download the draw.io template,

0:19:39.900000 --> 0:19:45.380000
 which I'll do. You can then utilize draw.io
 and import it and make changes

0:19:45.380000 --> 0:19:48.640000
 to it. So I'm just going to download
 it and then open up draw.io, which

0:19:48.640000 --> 0:19:49.760000
 is completely free.

0:19:49.760000 --> 0:19:51.120000
 So just give me a second.

0:19:51.120000 --> 0:19:56.240000
 All right, so I've downloaded the draw.io
 workflow template from the GitHub

0:19:56.240000 --> 0:20:01.520000
 repo and you can access draw.io by
 just searching for it on Google.

0:20:01.520000 --> 0:20:07.720000
 Or you can go to app.diagrams.net
 and then you can upload.

0:20:07.720000 --> 0:20:13.100000
 I'll just create a new one and then
 I'll say import from my device.

0:20:13.100000 --> 0:20:18.220000
 So I'm just going to import the downloaded
 workflow, the draw.io workflow

0:20:18.220000 --> 0:20:21.240000
 template. And I'll show you how it
 looks and you'll be able to modify

0:20:21.240000 --> 0:20:23.000000
 it. So just give me a second.

0:20:23.000000 --> 0:20:30.340000
 All right, so I just imported it and you
 can see this is the more specifically.

0:20:30.340000 --> 0:20:32.600000
 You have various tabs at the bottom here.


0:20:32.600000 --> 0:20:35.940000
 So detect, analyze, contain, eradicate,
 recover, post incident.

0:20:35.940000 --> 0:20:39.780000
 This is really awesome because you can
 customize all of them, you know,

0:20:39.780000 --> 0:20:42.300000
 from one particular master template here.


0:20:42.300000 --> 0:20:46.700000
 So you can pretty much modify these
 based on your own requirements.

0:20:46.700000 --> 0:20:50.420000
 And then when you're done with them,
 you can export it as, you know, in

0:20:50.420000 --> 0:20:55.400000
 different formats, PDF,
 SVG, JPEG, PNG, etc.

0:20:55.400000 --> 0:20:59.780000
 And, you know, you pretty much have
 the ability to modify any, which

0:20:59.780000 --> 0:21:00.980000
 is what I really like.

0:21:00.980000 --> 0:21:05.000000
 So this is a great starting point for
 anyone, you know, again, looking

0:21:05.000000 --> 0:21:10.360000
 to learn more about playbooks, understand
 how, you know, they are typically

0:21:10.360000 --> 0:21:12.840000
 laid out or designed.

0:21:12.840000 --> 0:21:15.360000
 And what a proper one looks like.

0:21:15.360000 --> 0:21:19.360000
 So with that being said, that brings us
 to the end of the, you know, practical

0:21:19.360000 --> 0:21:22.040000
 demonstration section of this video.

0:21:22.040000 --> 0:21:26.240000
 All right, so that was an example
 of a phishing playbook.

0:21:26.240000 --> 0:21:30.400000
 Hopefully you found that useful, but definitely
 go through that repository,

0:21:30.400000 --> 0:21:34.420000
 you know, just read around and
 navigate, browse around.

0:21:34.420000 --> 0:21:38.720000
 You don't have to have any particular
 goal in mind, you know, just by

0:21:38.720000 --> 0:21:42.640000
 going through it, you learn a lot about
 what your job will be and what

0:21:42.640000 --> 0:21:46.260000
 you'll be doing, you know, when it
 comes down to incident response.

0:21:46.260000 --> 0:21:48.880000
 But with that being said, that's
 going to be it for this video.

0:21:48.880000 --> 0:21:51.260000
 And I will be seeing you
 in the next video.

